Methods and apparatus for securing keystrokes from being intercepted between the keyboard and a browser

ABSTRACT

The invention described herein provides a method and system for foiling a keylogger by creating a custom keyboard driver and passing the keystrokes directly to the browser in an encrypted format. The browser (which is used to access the Internet) has a component that decrypts the keystroke before it is sent to the website. Thus the present invention enables the user to go to any website and enter sensitive information (passwords, credit card numbers, etc.) without the keystrokes being intercepted by Keyloggers. 
     In general terms, the invention described herein provides a method and system for (1) modifying the keyboard driver, (2) encrypting the keystrokes between the keyboard driver and the browser, and (3) notifying the user if the invention has been compromised.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of Provisional Patent Application No. 60/765,141 filed on Feb. 2, 2006.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

Not Applicable.

REFERENCE TO SEQUENCE LISTING, A TABLE, OR A COMPUTER PROGRAM LISTING COMPACT DISK APPENDIX

Not Applicable.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to computer security and, more particularly, to a method and apparatus of encrypting keystrokes, entered on a computer keyboard, before they are processed by a browser so that resident keyloggers cannot capture them.

2. Description of the Related Art

What is a Keylogger?

A Keylogger is a software program that runs in the background, recording all the keystrokes. Once keystrokes are logged, they are hidden in the machine for later retrieval, or shipped raw to the attacker. The attacker then peruses them carefully in the hopes of either finding passwords, or possibly other useful information such as credit card numbers, social security numbers or any other information used to commit identity theft.

A keyloggers can enter a user's computer in the following ways—(1) They can be embedded in images and music files which the user downloads when they click on pictures or mp3 files. (2) They can be downloaded inadvertently when a user browses a malicious web site. (3) They can be embedded in a virus, spyware or Trojan horse. (4) They can be bundled as a part of software that a user downloads for free.

How Keyloggers Work

When a user presses a key on the keyboard, the keyboard device driver receives scan codes from the keyboard, which are sent to the keyboard layout where they are translated into messages and posted to the appropriate window in the application. Assigned to each key on a keyboard is a unique value called a scan code, a device-dependent identifier for the key on the keyboard. A keyboard generates two scan codes when the user types a key—one when the user presses the key and another when the user releases the key.

The keyboard device driver interprets a scan code and translates it to a virtual-key code, a device-independent value defined by the system that identifies the purpose of a key. After translating a scan code, the keyboard driver creates a message that includes the scan code, the virtual-key code, and other information about the keystroke, and then places the message in the system message queue. The system removes the message from the system message queue and posts it to the message queue of the appropriate thread of the application. Eventually, the thread's message loop removes the message and passes it to the appropriate window procedure of the application for processing.

A keylogger can intercept the keystroke at any point in the chain. It can intercept it in any of following ways—(1) the keyboard driver level—by replacing the keyboard driver with a rogue driver, (2) by adding filters between the keyboard driver and the system message queue. The filter receives keystrokes from the keyboard driver before it is sent to the message queue. and (3) the system message queue level—by hooking into the Windows message queue. A hook is a callback function provided by the keylogger to the system. When a keystroke message arrives in the message queue, the callback function associated with the keylogger is called and it is passed the keystroke information. The keylogger then stores the keystroke data in a file which is later sent to the hacker via an email, an MC channel or some other means.

Current State-of-the Art in Anti-Keylogging

Currently, there are two ways to stopping keyloggers—(1) detecting them and (2) preventing them from hooking the keystroke messages.

Keyloggers can be detected by analyzing their signatures. Signatures comprise the characteristics of the keylogger such as file size, file name, a checksum, or registry entries. The drawback of this method is that the signatures need to be constantly updated and is not effective against unknown keyloggers.

Keyloggers can be prevented from hooking the keystroke messages by placing a hook before the keylogger's hook and preventing the keystroke messages from going to the keylogger. The drawback of this method is that there is no way to guarantee that a hook can be placed before the keylogger's hook.

BRIEF SUMMARY OF THE INVENTION

The present invention foils a keylogger by a novel way—creating a custom keyboard driver and passing the keystrokes directly to the browser in an encrypted format. The browser (which is used to access the Internet) has a component (a Browser Helper Object) that decrypts the keystroke before it is sent to the website. Thus, the present invention enables the user to go to any website and enter sensitive information (passwords, credit card numbers, etc.) without the keystrokes being intercepted by Keyloggers.

In general terms, the invention described herein provides a method and apparatus for modifying the keyboard driver, encrypting the keystrokes between the keyboard driver and a browser component, and putting the decrypted keystrokes into the browser. Also, the invention has a mechanism to detect if its operation is foiled and make the user aware that the protection mechanism has been compromised.

OBJECT AND FEATURES OF THE INVENTION

In accordance with a first aspect of the invention, the invention features a methodology for taking control of the keyboard at the hardware level via a proprietary keyboard driver, encrypt the keystrokes and send them the browser, where they are decrypted.

In accordance with a second aspect of the invention, the invention features a methodology to detect if its operation is foiled and make the user aware that the protection mechanism has been compromised.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

FIG. 1 depicts the methodology to process keystrokes that exists today.

FIG. 2 depicts the novel methodology to process keystrokes that is proposed by this invention.

FIG. 3 depicts the Proprietary Device Driver.

FIG. 4 depicts the Browser Component.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Exemplary embodiments of the invention are described herein in terms of processes. Efficient prototypes of such processes have been implemented as computer system software on general-purpose PC hardware.

In accordance with a first aspect of the invention, the invention features a methodology for taking control of the keyboard at the hardware level via a proprietary keyboard driver, encrypt the keystrokes and send them the browser, where they are decrypted.

FIG. 1 depicts the methodology to process keystrokes that exists today. When a key is pressed on the Keyboard 101, an interrupt is generated which is sent to the Interrupt Controller 102. The Interrupt Controller 102 goes to a specific location in the Interrupt Device Table 103 which contains the address of the Keyboard Device Driver 104 which will process the interrupt. The Keyboard Device Driver 104 retrieves the keystroke scan code, converts the scan code to virtual-key code, creates a message that includes the scan code, the virtual-key code, and other information about the keystroke, and sends it to the System Message Queue 105. The message is retrieved by the Browser 106 which displays the keystroke.

FIG. 2 depicts the novel methodology to process keystrokes that is proposed by this invention. The components that implement the invention are the Proprietary Device Driver 107 and the Browser Component 108. When the Browser 106 has focus, the Browser Component 108 sends a message to the Proprietary Device Driver 107 to modify the Interrupt Device Table 103 to point to the Proprietary Device Driver 107 for handling keyboard interrupts.

When a key is pressed on the Keyboard 101, an interrupt is generated which is sent to the Interrupt Controller 102. The Interrupt Controller 102 goes to a specific location in the Interrupt Device Table 103 which contains the address of the Proprietary Device Driver 107 which will process the interrupt. The Proprietary Device Driver 107 retrieves the keystroke scan code, converts the scan code to virtual-key code, creates a message that includes the scan code, the virtual-key code, and other information about the keystroke, encrypts the message and sends it to the Browser Component 108. The Browser Component 108 decrypts the message and sends it to the Browser 106 which displays the keystroke.

FIG. 3 depicts the Proprietary Device Driver. It consists of (1) the IDT Interface 109 which communicates with the system to make changes to the Interrupt Device Table 103 (FIG. 1), (2) the Keyboard Device Driver 110 which retrieves the keystroke entered by the user, and (3) the Keystroke Encrypter 111 which encrypts the keystroke scan code and the virtual-key code, and (4) the Browser Component Interface 112 which communicates with the Browser Component 108 (FIG. 2).

FIG. 4 depicts the Browser Component. It consists of (1) the Proprietary Device Driver Interface 113 which communicates with the Proprietary Device Driver 107 (FIG. 2), (2) the Keystroke Decrypter 114 which decrypts the encrypted scan code and the virtual-key code, and (3) The Browser Interface 115 which sends the decrypted keystroke message to the Browser 106 (FIG. 1).

In accordance with a second aspect of the invention, the invention features a methodology to detect if its operation is foiled and make the user aware that the protection mechanism has been compromised.

Referring to FIG. 2, when the Browser 106 has focus, the Browser Component 108 sends a message to the Proprietary Device Driver 107 to modify the Interrupt Device Table 103 to point to the Proprietary Device Driver 107 for handling keyboard interrupts. If the Proprietary Device Driver 107 is unable to modify the Interrupt Device Table 103, it realizes that the system has been compromised by a hacker and displays a message to the user that the system has been compromised. 

1-9. (canceled)
 10. A method for securing keystrokes from being intercepted between a keyboard and an application on a computing device, the method comprising: (a) running a proprietary keyboard driver on the computing device for handling keystrokes generated by the keyboard; (b) retrieving the keystrokes using the proprietary keyboard driver, wherein retrieving the keystrokes includes bypassing a non-proprietary keyboard driver and a system message queue associated with the computing device such that the keystrokes are processed by the proprietary keyboard driver and are not processed by the non-proprietary keyboard driver or by the system message queue; (c) encrypting the keystrokes using the proprietary keyboard driver; (d) sending the encrypted keystrokes to the application; and (e) decrypting the encrypted keystrokes using the application.
 11. The method of claim 10, wherein step (c) comprises using one of symmetric keys and asymmetric keys.
 12. The method of claim 10, wherein the application is a browser, and wherein the application includes a BrowserHelper Object that appears as a toolbar.
 13. The method of claim 10, further comprising selectively enabling or disabling the encryption of the keystrokes.
 14. The method of claim 13, wherein selectively enabling or disabling the encryption of the keystrokes comprises: (i) determining whether a window of the application has focus; (ii) in response to determining that the window has focus, enabling the encryption of the keystrokes; and (iii) in response to determining that the window does not have focus, disabling the encryption of the keystrokes.
 15. A method for securing keystrokes on a computing device from being intercepted between a keyboard of said computing device and a software application, the method comprising: (a) running a proprietary keyboard driver on the computing device for handling keystrokes generated by the keyboard; (b) retrieving the keystrokes using the proprietary keyboard driver, wherein retrieving the keystrokes includes bypassing a non-proprietary keyboard driver and a system message queue associated with the computing device such that the keystrokes are processed by the proprietary keyboard driver and are not processed by the non-proprietary keyboard driver or by the system message queue; (c) encrypting the keystrokes using the proprietary keyboard driver; (d) sending the encrypted keystrokes to a decrypting component; and (e) decrypting the encrypted keystrokes using the decrypting component.
 16. A method for securing keystrokes on a computing device from being intercepted between a keyboard of said computing device running a first keyboard driver and a software application, the method comprising: (a) running a second keyboard driver on the computing device for handling keystrokes generated by the keyboard; (b) retrieving the keystrokes using the second keyboard driver, wherein retrieving the keystrokes includes bypassing said first keyboard driver and a system message queue associated with the computing device such that the keystrokes are processed by the second keyboard driver and are not processed by the first keyboard driver or by the system message queue; (c) encrypting the keystrokes using the second keyboard driver; (d) sending the encrypted keystrokes to a decrypting component; and (e) decrypting the encrypted keystrokes using the decrypting component.
 17. A system for securing keystrokes from being intercepted between a keyboard and an application on a computing device, the system comprising: a proprietary keyboard driver running on the computing device for: handling keystrokes generated by the keyboard; retrieving the keystrokes, wherein retrieving the keystrokes includes bypassing a non-proprietary keyboard driver and a system message queue associated with the computing device such that the keystrokes are processed by the proprietary keyboard driver and are not processed by the non-proprietary keyboard driver or by the system message queue; encrypting the keystrokes; and sending the encrypted keystrokes to the application; and the application running on the computing device for receiving and decrypting the encrypted keystrokes.
 18. The system of claim 17, wherein the proprietary keyboard drivers encrypts the keystrokes using one of symmetric keys and asymmetric keys.
 19. The system of claim 17, wherein the application includes a Helper Object.
 20. The system of claim 17, wherein the proprietary keyboard is configured for selectively enabling or disabling the encryption of the keystrokes.
 21. The system of claim 20, wherein selectively enabling or disabling the encryption of the keystrokes comprises: (i) determining whether a window of the application has focus; (ii) in response to determining that the window has focus, enabling the encryption of the keystrokes; and (iii) in response to determining that the window does not have focus, disabling the encryption of the keystrokes.
 22. A system for securing keystrokes on a computing device from being intercepted between a keyboard of said computing device and a software application, the system comprising: a proprietary keyboard driver running on the computing device for: handling keystrokes generated by the keyboard; retrieving the keystrokes, wherein retrieving the keystrokes includes bypassing a non-proprietary keyboard driver and a system message queue associated with the computing device such that the keystrokes are processed by the proprietary keyboard driver and are not processed by the non-proprietary keyboard driver or by the system message queue; encrypting the keystrokes; and sending the encrypted keystrokes to a decrypting component; and the decrypting component running on the computing device for decrypting the encrypted keystrokes.
 23. A system for securing keystrokes on a computing device from being intercepted between a keyboard of said computing device running a first keyboard driver and a software application, the method comprising: a second keyboard driver running on the computing device for: handling keystrokes generated by the keyboard; retrieving the keystrokes, wherein retrieving the keystrokes includes bypassing said first keyboard driver and a system message queue associated with the computing device such that the keystrokes are processed by the second keyboard driver and are not processed by the first keyboard driver or by the system message queue; encrypting the keystrokes; and sending the encrypted keystrokes to a decrypting component; and the decrypting component running on the computing device for decrypting the encrypted keystrokes.
 24. A method for securing keystrokes from being intercepted between a keyboard and a software application running on a computing device, the method comprising: (a) running a proprietary keyboard driver on the computing device for handling keystrokes generated by the keyboard; (b) retrieving the keystrokes using the proprietary keyboard driver, wherein retrieving the keystrokes includes bypassing a non-proprietary keyboard driver and a system message queue associated with the computing device such that the keystrokes are processed by the proprietary keyboard driver and are not processed by the non-proprietary keyboard driver or by the system message queue; (c) encrypting the keystrokes using the proprietary keyboard driver; (d) sending the encrypted keystrokes to a decrypting component; and (e) decrypting the encrypted keystrokes using the decrypting component.
 25. The method of claim 24, wherein step (c) comprises using one of symmetric keys and asymmetric keys.
 26. The method of claim 24, wherein the decrypting component includes a Helper Object.
 27. The method of claim 25, wherein the symmetric keys include one of Data Encryption Standard (DES), triple Data Encryption Standard (3DES), Rivest Cipher 4 (RC4), Blowfish, Advanced Encryption Standard (AES) keys, or any type or method of encryption and wherein the asymmetric keys include Public Key Infrastructure (PKI) keys.
 28. The method of claim 24, further comprising selectively enabling or disabling the encryption of the keystrokes.
 29. The method of claim 28, wherein selectively enabling or disabling the encryption of the keystrokes comprises: (i) determining whether a window of the application has focus; (ii) in response to determining that the window of the application has focus, enabling the encryption of the keystrokes; and (iii) in response to determining that the window of the application does not have focus, disabling the encryption of the keystrokes.
 30. A system for securing keystrokes from being intercepted between a keyboard and a software application running on a computing device, the system comprising: a proprietary keyboard driver running on the computing device for: handling keystrokes generated by the keyboard; retrieving the keystrokes, wherein retrieving the keystrokes includes bypassing a non-proprietary keyboard driver and a system message queue associated with the computing device such that the keystrokes are processed by the proprietary keyboard driver and are not processed by the non-proprietary keyboard driver or by the system message queue; encrypting the keystrokes using the proprietary keyboard driver; and sending the encrypted keystrokes to a decrypting component; and the decrypting component, running on the computing device, for decrypting the encrypted keystrokes.
 31. The system of claim 30, wherein the proprietary keyboard driver encrypts the keystrokes using one of symmetric keys and asymmetric keys.
 32. The system of claim 30, wherein the decrypting component includes a Helper Object.
 33. The system of claim 31, wherein the symmetric keys include one of Data Encryption Standard (DES), triple Data Encryption Standard (3DES), Rivest Cipher 4 (RC4), Blowfish, Advanced Encryption Standard (AES) keys, or any type or method of encryption and wherein the asymmetric keys include Public Key Infrastructure (PKI) keys.
 34. The system of claim 30, wherein the proprietary keyboard driver is configured for selectively enabling or disabling the encryption of the keystrokes.
 35. The system of claim 34, wherein selectively enabling or disabling the encryption of the keystrokes comprises: (i) determining whether a browser window has focus; (ii) in response to determining that the browser window has focus, enabling the encryption of the keystrokes; and (iii) in response to determining that the browser window does not have focus, disabling the encryption of the keystrokes.
 36. A method for securing keystrokes from being intercepted between a keyboard and an application on a computing device, the method comprising: (a) running a proprietary keyboard driver on the computing device for handling keystrokes generated by the keyboard; (b) retrieving the keystrokes using the proprietary keyboard driver, wherein retrieving the keystrokes includes bypassing a non-proprietary keyboard driver and a system message queue associated with the computing device such that the keystrokes are processed by the proprietary keyboard driver and are not processed by the non-proprietary keyboard driver or by the system message queue; (c) altering the keystrokes using the proprietary keyboard driver so as to prevent an interceptor of the keystrokes from retrieving information contained in the keystrokes; (d) sending the altered keystrokes to the application; and (e) restoring the altered keystrokes to their original form using the application.
 37. A system for securing keystrokes from being intercepted between a keyboard and an application on a computing device, the system comprising: a proprietary keyboard driver running on the computing device for: handling keystrokes generated by the keyboard; retrieving the keystrokes, wherein retrieving the keystrokes includes bypassing a non-proprietary keyboard driver and a system message queue associated with the computing device such that the keystrokes are processed by the proprietary keyboard driver and are not processed by the non-proprietary keyboard driver or by the system message queue; altering the keystrokes using the proprietary keyboard driver so as to prevent an interceptor of the keystrokes from retrieving information contained in the keystrokes; and sending the altered keystrokes to the application; and the application running on the computing device for receiving and restoring the altered keystrokes to their original form. 